http://evolt.org/article/Spam_Proofing_Your_Website/20/41849/index.html
Spam-Proofing Your Website
Print Article
By Dan Thies (optimization)
Member info / Bio
--------------------------------------------------------------------------------
User since: 09/28/2002
Last login: 10/25/2002
Articles written: 1
Average rating: 3.56
Total ratings: 9
Spam-Proofing Your Website
Anyone who operates their own website knows that you need to provide a way for visitors to contact you by email. The big challenge is providing easy email access to your visitors, without letting junk mail (SPAM) flood your email inbox. The techniques described in this article have enabled me to dramatically reduce the amount of junk mail I receive on all of my websites.
Preparing and Preempting
You need a couple things before you can really take effective action against SPAM. Your email software must be capable of filtering incoming email. All of the major email applications (such as Eudora, Outlook, and Pegasus) support filtering. We will use multiple email addresses to allow us to filter out SPAM and identify the source - you can't combat SPAM effectively without them.
You need to use a website hosting provide that allows unlimited email aliases or addresses, and/or a catch-all email address. An "alias" is an email address that forwards to some other address (for example, webmaster@domain.com forwarding to your real email address). A "catch-all" email address will forward any emails sent to unknown addresses in your domain.
For my own websites, I just use the catch-all, so that every message goes to my real email address. If you have more than a one-person operation, however, multiple email accounts and aliases are pretty much a necessity. Any email address you use online could become a target of spam. If your hosting provider is especially good, you may even be able to create email aliases that automatically delete all incoming messages.
Fighting Back
The first step in fighting back against the spammers is understanding where they get your email address. You must diligently protect your email address, if you ever hope to stop them. Once your email address gets into the wrong hands, it will be sold on CD-ROM (via junk mail, of course) to thousands of spammers. Once that happens, you've lost the fight.
Spam Source #1: Domain Name Registrations
When you register a domain name, you must provide a contact email address. If you give them your real email address, you've just given it to everyone, including the spammers. Instead, use a portable email address (like Hotmail) to set up your domain.
If you have multiple domains, you can also use an alias (domains@yourdomain.com) on your primary domain for all registrations. With an alias, you can use your email software to filter out and save any emails that come to that address from your registrar's domain.
Spam Source #2: Web Forms & Email Newsletters
If you give your real email address on any web form, or use it to subscribe to an email newsletter, you are asking for trouble. Instead, create a unique email address for each website or newsletter. I just use the website's domain name for this.
For example, if you subscribe to the "evolt.org" mailing list as "evolt.org@yourdomain.com" and let your catch-all address route it to you, you will always know where the email came from. If that address ever starts receiving junk mail, you can filter it out using your email software.
If you submit to search engines or free-for-all links pages (FFA's), use a unique email address every time. FFAs, in particular, are famous for flooding the world with junk mail. Once you've given an email address to an FFA, you may as well forget about ever using it again.
Spam Source #3: Your Website
The biggest source of email addresses used by spammers is your website. Most websites list multiple contact addresses, etc. Any time an email address appears on your website in plain text, even if it's hidden in a form field, you're opening yourself up to having that email address captured.
To combat this menace, I've developed a set of JavaScript snippets that will meet almost every need you have to display your email address to the public, without allowing spambots to see it.
The Big Battle: Securing Your Website From Spambots
Almost every website operator wants search engine spiders to visit. After all, search engines are the best source of free traffic on the web. In the event that you don't want them to visit, they are easily kept at bay with a properly formatted "robots.txt" file.
Unfortunately, there's another group of spiders out there crawling the web, with an entirely different purpose. These are the spiders that visit site after site, collecting email addresses. You may know them as spambots, email harvesters, or any number of unpublishable names.
When it comes to controlling these rogue spiders, a robots.txt file simply won't get the job done. In fact, most spam robots ignore robots.txt. That doesn't mean you have to give up, and just let them have their way. The following techniques will stop these spiders in their tracks.
Technique #1: Use JavaScript To Mask Email Addresses
One of the weaknesses that spiders of all kinds suffer from is an inability to process scripts. Adding a small snippet of JavaScript in place of an email address effectively renders the address invisible to spiders, while leaving it accessible to your visitors with all but the most primitive web browsers.
In the examples below, simply substitute your username (the first half of your email address, everything before the @ symbol) and your hostname (everything after the @ symbol). To use the scripts, just insert them into your page's HTML wherever you need them to be displayed.
Example 1: Creating A Spam-Proof Mailto Link
This snippet of JavaScript code creates a clickable link that launches the visitor's email application, assuming that their system is configured to work with "mailto:" hyperlinks. You can replace the link text with your own message, but see example 2 if you want to display your email address as the link text.
<script language=javascript>
<!--
var username = "username";
var hostname = "yourdomain.com";
var linktext = "Click Here To Send Me Email";
document.write("<a href=" + "mail" + "to:" + username +
"@" + hostname + ">" + linktext + "</a>"
//-->
</script>
Example 2: A Spam-Proof Mailto Link With Your Email Address Showing
Some visitors won't be able to use a mailto link. This snippet shows your email address in the link so they can copy and paste, or type it by hand:
<script language=javascript>
<!--
var username = "username";
var hostname = "yourdomain.com";
var linktext = username + "@" + hostname;
document.write("<a href=" + "mail" + "to:" + username +
"@" + hostname + ">" + linktext + "</a>"
//-->
</script>
Example 3: Display Your Email Address Without A Mailto Link
Here's a snippet that displays your email address a clickable link:
<script language=javascript>
<!--
var username = "username";
var hostname = "yourdomain.com";
var linktext = username + "@" + hostname;
document.write(username + "@" + hostname)
//-->
</script>
Technique #2: Use A Contact Form
Sometimes, the sheer volume of legitimate email from real visitors can become a burden. In this case, a simple solution is to remove your email address from your site entirely, and use a contact form. There are dozens of free ASP, Perl, and PHP scripts available online that will allow your users to fill in a form, and send you an email. Most hosting providers now offer this service for free to their customers.
A contact form can enable you to deal with a higher volume of mail, by allowing you to pre-sort different types of message. This is easily accomplished by creating a drop-down menu with different options (e.g. customer service, billing, tech support, etc.) that will populate the subject line of the email message, and/or change the email address to which the form is sent.
Since many spambots simply read the entire HTML source of the page, looking for anything that looks like an email address, your contact form will not protect you, if you include your email address in the HTML for your contact form (for example, as a hidden field). You can use JavaScript, as in the example below, to mask the address, or if you have the skill, you can embed the email address in your form processing script, where nobody can find it.
Example 4: Masking The Email Address In A Form Field
Instead of simply listing your email address in a form field, use the snippet below to replace the form field that contains your email address.
<script language=javascript>
<!--
var username = "username";
var hostname = "yourdomain.com";
var linktext = username + "@" + hostname;
document.write("<input type=hidden name=email value=" +username + "@" + hostname" + ">";
document.write(username + "@" + hostname);
//-->
</script>
All contact forms, regardless of the language used, will work more or less the same way. Users will fill out a form, which is processed by a script on your server that emails the submissions to you. Because the script that runs on your server, your visitors never see the contents of that script. Hiding your email address in the script provides the greatest security, but this does require some programming knowledge. Form-to-email scripts that are offered by hosting companies almost always require the email address to be included as a hidden form field in your web page.
Disadvantages of an all-JavaScript approach
The main drawback to using JavaScript is, of course, browser compatibility. While the most popular web browsers all support JavaScript, a small percentage of users will be unable to see them. Only you can make the ultimate decision on whether the needs of these users are greater than the need to stop spammers. Offering a contact form to those users can reduce the problem for these users.
If you take this approach, it is much better to hide your email address within the script itself, rather than in the HTML code of your page. If you can't hide the address in the script, use an email alias, so that you can change the email address in the form from time to time, whenever the spam gets out of hand.
Advanced Techniques: URL Rewriting
Both the Apache and IIS web servers have plug-in URL-rewriting modules that can be used to provide additional protection to your website, by redirecting queries from known spambots to a blank page, or to another website. These techniques are beyond the scope of this article, and using them will slow your server down, if only a little. For a good discussion on using this technique, including its use to combat spambots, see http://www.webmasterworld.com/forum13/687.htm.
URL-rewriting is a powerful technique, however, and should not be overlooked. In addition to its potential value in deterring spam, it can also be used to prevent users from downloading your website with offline browsers, MS FrontPage, etc. If your content must be protected from unauthorized copying or other misuse, judicious use of URL-rewriting may be exactly what the doctor ordered. Be aware, though, that not everyone attempting to download your website is doing so with bad intentions.
For a good example of what you might want to show those who try to download your site, see this page: http://www.purplemath.com/terms.htm.
Thanks for reading...
I hope that this tutorial has given you a clear understanding of how to protect your website, and your email address, from spammers and spambots. Your feedback is welcome. If you have any questions about this article, feel free to contact me through my website. The (spam-proof) email link can be found at the bottom of my home page.
I wish you success...
Dan Thies has been helping his clients (and friends) promote their websites since 1996. His latest book, "Search Engine Optimization Fast Start," offers a simple, step by step plan to increase your website's search engine traffic.
Rating
This article currently has a rating of 3.56 out of 9 total ratings.
Would you like to rate this article? Article ratings encourage evolt.org contributors to keep writing the good stuff. Help make our authors feel wanted! You need to log in to rate an article. You can enter your username and password on the right. If you aren't a member of evolt.org yet, register and become a part of the community!
Reader Comments
[Link]
Other interesting reads
garrett wrote on 10/23/2002 at 4:43 AM
Good article with a lot of useful tips.
It's also worth having a look at Daniel Cody's two articles on stopping spambots:
Using Apache to stop bad robots
Stopping Spambots II - The Admin Strikes Back
Lot's of information on how to configure Apache to stop spambots in their tracks from a server administrator point of view.
[Link]
For IIS admins, yes you can
optimization wrote on 10/23/2002 at 8:05 AM
Although I don't use anything but Apache, you can also do URL-rewriting on the Microsoft web server with IISRewrite:
http://www.qwerksoft.com/products/iisrewrite/
It's compatible with mod_rewrite, which should make life easier for you puppets of the Microsoft empire, since there's plenty of Apache documentation all over the web.
[Link]
accessibility issues
branko wrote on 10/23/2002 at 9:03 AM
Some of the methods you mention make one less accessible. It is all fine and dandy to use a Hotmail account for registering a domain, but if you never read that mail, you've just made yourself that bit less accessible. (Not to mention that you may have broken the rules of the domain controller by doing so.)
I use the 'unique' address myself a lot. So now I know that most of the spam I get on my business account I get through my listing on the yellow pages. Then again, most of my prospects come through the yellow pages, so you won't hear me complain.
What makes spammers different from almost everyone else, is that they use automated means to harvest your address. Perhaps there are legitimite reasons for harvesting e-mail addresses, but I don't know of any.
Cameron Gregory of bloke.com (see the bottom of the page) makes handy use of this fact, by offering e-mail addresses on his web site that he will not read. A human visitor will read this and refrain from using the fake addresses. The spammer will send his warez to both the real and the fake addresses, and will identify himself as a spammer this way.
In the end, there are only two effective methods for fighting spam, and those are to A) fight the spammers, and B) make spamming cost prohibitive. All other methods are at most damage control (spam filters) and in the worst case burying your head in the sand like an ostrich (spam blocks using JavaScript).
(A) requires that, for instance, you will only vote for politicians who take an extremely hard stance on spammers. Even if they do not get voted into office, this will at least give a strong signal that people won't stand for spam. A lot of politicians still see spam as a legitimate way to advertise. It should be made clear to them that it is not.
(Ironic anecdote: spammers recently won a court case in the Netherlands where the judges found that changing an e-mail address is so easy that they saw no reason to prohibit spam. Following this opinion, a spammer started spamming politicians, and suddenly a different judge found that spam should be prohibited. I guess it matters who you harass. That is not a nice signal for any democracy to emit.)
(B) requires a different e-mail protocol. There is some talk about a protocol in which messages remain on the senders' e-mail server until they get collected by the user.
Both methods take time and require us all to take our responsibility.
You have to wonder whether it is fair to punish your users for the behaviour of spammers though.
[Link]
no argument here, but..
optimization wrote on 10/23/2002 at 10:10 AM
I don't really see this as "punishing users." It's important to be accessible, but I just don't see it in the extremes either way. If you have an email address on your site that uses Javascript and a contact form for 99% of the other folks, it's hard to argue that you can't be reached.
These scripts aren't really pushing the envelope of browser compatibility. Most users who would have a problem with this approach are also unable to use the majority of commercial websites, period.
My goal here was to offer some help to folks who don't necessarily have your level of skill. It's easy enough to implement, that the do-it-yourselfer can usually handle it. These folks can't "make spam cost prohibitive," (can you?) so damage control (what you would call the 'ostrich' method) is the only option.
WRT domain registrations, you obviously can't use an email address you never read - renewal notices, etc. are going to come to that address, but a unique address is essential. I have an email account that receives over 300 junk mails a day, and it has never been published anywhere except WHOIS.
That's enough for now, gotta go bury my head in the sand again, but I'm taking the straw man with me.
[Link]
A server-side approach
simonc wrote on 10/24/2002 at 11:50 AM
I've come up with a server-side approach that uses a couple of tricks to generate a live mailto link which doesn't depend on javascript. I'm not completely happy with it yet, but it does offer a reasonable solution.
Feedback and suggestions welcome.
[Link]
Attributes
giz wrote on 10/24/2002 at 2:50 PM
Don't forget to add the type="text/javascript" attribute to the script tags if you want the code to validate.
It seems like nearly every JavaScript tutorial on the web forgets to mention this point.
[Link]
An almost bullet proof server side technique
skunk wrote on 10/24/2002 at 3:33 PM
I came up with an idea a few months ago to stop spam bots which (in theory) should be pretty muich bullet proof: Hide your address behind a web form using the POST method:
http://simon.incutio.com/archive/2002/09/11/newFormOfSpamProtection
In order to grab my address spam harvester bots would have to evolve to the point where they identify ALL forms on a page and submit every single on of them - this seems like way too much hassle to be worth bothering with, especially as the kind of people who take that much effort to hide their email addresses are almost certinaly not the kind of people to fall for Nigerican con artists or bizzare get-rich-quick schemes.
[Link]
Free contact form scripts
shaggy wrote on 10/25/2002 at 7:25 AM
I wouldn't use a free contact form scrpt. Defining the recepient email as a hidden form field is unsecure enough for me.
Otherwise I wouldn't call Opera (or any other feature rich browser) with JavaScript turned off one of the most primitive web browsers.
Add your comment:
Want to join the conversation? You need to log in to post a comment! You can enter your username and password on the right. If you aren't a member of evolt.org yet, register and become a part of the discussion!